Monday, May 22, 2017

In one of my previous posts I showed how to create a new Azure AD group and add owners via the MS Graph client library: Create Azure AD group and set group owner using Microsoft Graph Client library. In this post I will also show how to set owners for existing groups, which also includes deleting previous owners. The same approach may be used for adding and deleting group members (instead of the Owners property use the Members property of the Group class). In order to synchronize Azure AD group owners use the following method:

Method SetAzureGroupOwners() receives a reference to the Azure AD group and a list of users which should be set as owners. Please note that we are talking here about replacing the existing owners with new ones, i.e. we need not only to add new owners but also to delete those existing owners which are not in this list. So at first we add the new owners (lines 10-24) and then remove the existing owners that are missing from the list (lines 26-40). At the end the group will only have those owners which are passed in the list to the function.
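The same add-then-remove reconciliation, written as an added example against the Microsoft Graph .NET client library (this is not the post's own code). It assumes an already authenticated GraphServiceClient (for instance built with the AzureAuthenticationProvider from the earlier post), the group's object id, and a caller granted the Group.ReadWrite.All permission.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;

// Added example, not the blog's code: synchronizes a group's owners with a desired list.
public static class GroupOwnerSync
{
    // Pure planning step: which ids must be added and which removed.
    // Kept free of Graph calls so the logic can be reviewed and unit-tested.
    public static (IReadOnlyList<string> ToAdd, IReadOnlyList<string> ToRemove) Plan(
        IEnumerable<string> existingOwnerIds, IEnumerable<string> desiredOwnerIds)
    {
        var existing = new HashSet<string>(existingOwnerIds, StringComparer.OrdinalIgnoreCase);
        var desired = new HashSet<string>(desiredOwnerIds, StringComparer.OrdinalIgnoreCase);
        return (desired.Except(existing).ToList(), existing.Except(desired).ToList());
    }

    // groupId and owners are supplied by the caller (assumption: owners carry their object Id).
    public static async Task SetAzureGroupOwnersAsync(
        GraphServiceClient client, string groupId, IEnumerable<User> owners)
    {
        // Read all current owners; the first page may be truncated, so follow NextPageRequest.
        var existingIds = new List<string>();
        var page = await client.Groups[groupId].Owners.Request().GetAsync();
        while (page != null)
        {
            existingIds.AddRange(page.CurrentPage.Select(o => o.Id));
            page = page.NextPageRequest == null ? null : await page.NextPageRequest.GetAsync();
        }

        var (toAdd, toRemove) = Plan(existingIds, owners.Select(u => u.Id));

        // Add before removing, as the post does: Graph refuses to remove a group's last owner,
        // so removing first fails whenever the old and new owner lists do not overlap.
        foreach (var id in toAdd)
            await client.Groups[groupId].Owners.References.Request()
                .AddAsync(new DirectoryObject { Id = id });

        foreach (var id in toRemove)
            await client.Groups[groupId].Owners[id].Reference.Request().DeleteAsync();
    }
}
```

Because the desired list is supplied by the caller, an empty list would strip every owner but the last and then fail; validating that the list is non-empty before calling the method is a sensible guard.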

In this article we will continue getting familiar with the MS Graph client library and see how to update an Azure AD group programmatically. Examples in this post use the same AzureAuthenticationProvider class for authenticating against Azure AD as the examples linked above, so I won't duplicate it here.

Here is how we can rename an Azure AD group programmatically using the MS Graph client library:

At first, in method retrieveGroup(), we get a reference to the Group object and update the group's DisplayName property (lines 7-9). Then we create a GroupRequest object, call its UpdateAsync method (lines 11-13) and wait until the request is processed (lines 15-19). After that the group appears in the Azure portal with the new name. But note that if the group was already used in a Sharepoint Online site (e.g. for granting permissions on some site), the change won't be synced there automatically; you will need to sync user profiles and then update the user data in the User Information List.

Thursday, May 4, 2017

In one of our projects we used a provider-hosted app which runs on an Azure web site and accesses data in a Sharepoint Online site (the host web). In this host web there is a list with unique permissions, and the app needed to change list items there. Users of the app did not always have edit rights on this list, and attempts to change a list item caused the following exception:

Access denied. You don't have permissions to perform this action or access this resource.

The problem was caused by the app's code, which uses the user client context:

With a user client context the app's code is only allowed to perform actions which are allowed for the current user, i.e. if the user doesn't have permission to edit list items in the list, the app's code fails with the Access denied exception shown above.

In order to fix the issue we need to run our code under "elevated privileges", which in the app development model means that we need to use app-only permissions. The SharePointContext class has a different method for obtaining an app-only client context:

But that is only half of the fix. The second step is to allow our app to use app-only permissions; without it the change described above has no effect. In order to allow the app to use app-only permissions we need to add the AllowAppOnlyPolicy="true" attribute to the AppPermissionRequests tag inside the app manifest and re-install the app through the App catalog. It is also possible to update AppPermissionRequests for an already installed app without re-installation. In order to do that, go to the http://example.com/_layouts/15/appinv.aspx page (where instead of http://example.com you should use your Sharepoint Online tenant), specify the app id in the textbox, click the Lookup button and specify the following permissions xml:

(In this example the app gets Full Control over the whole site collection. You need to use your own permissions there; the important part is that the AppPermissionRequests tag has the AllowAppOnlyPolicy="true" attribute.) After that click the Create button and then Trust It in the window that opens.

Note that if you specify AppPermissionRequests with a scope of site collection, as shown above, or narrower (web, list), it is enough to have site collection admin rights to update the app. But if you change the app permissions at the tenant level (Scope="http://sharepoint/content/tenant") you need tenant admin permissions (see the permission scopes in the following article: Add-in permissions in SharePoint 2013).

After these steps the app should be able to execute code with elevated privileges using app-only permissions.
